Product Optimize Breakout Summit/2020: The Future is Now! Using Machine Learning to Automate Plugin Updates + Secure Your Site

Did you know plugin vulnerabilities represent 60% of the known entry points for website attacks? Learn how Smart Plugin Manager uses machine learning & visual regression testing to automate plugin updates and keep your site secure. Bonus: get a preview of exciting platform enhancements launching in the coming months.

Annan Patel, Senior Product Manager, WP Engine discusses: 

  • How to use machine learning to manage plugins and keep them up to date with Smart Plugin Manager for automatic updates.

Why visual regression testing? Things like a broken call to action or a missing form field – that’s a broken site. That means your user can’t use your site the way you’ve intended.

Full text transcript


– Welcome everyone to WP Engine Summit 2020, the digital breakthrough conference. I’m excited to talk to you today about our topic, the future is now, using machine learning to automate plugin updates and secure your sites.


My name is Annan Patel, just to introduce myself. I’m a senior manager on the product management team here.


Let’s talk about managing your plugins. I always love these slides that just show a few numbers, and here’s my slide with some numbers.


On average, a WP Engine site has 16 plugins. Our own security team here at WP Engine has identified 144 different plugin vulnerabilities just in the last six months.


Finally, through surveying and talking to our customers, we estimate on average, a customer spends about eight minutes updating their plugins manually. So, you’d imagine, if you have 16 different plugins that have different updates throughout the course of a week or a month, and you’re managing multiple sites, this is going to add up to a lot of time, but we know that this is important because keeping these plugins up to date is the easiest way to keep your site secure.


So, by not updating your plugins, you’re introducing unnecessary risk. We also talked to our customers about managing their plugins and two of our largest customers gave us some pretty interesting insights.


Marriott has a person who updates plugins across their entire portfolio of sites, and they know that that’s not the best use of their time.


Thomson Reuters, they know how valuable the WordPress ecosystem is, but they also know that it’s third party software and third party software introduces potential risk.


And so, ensuring that you can be up to date on your plugins, again, is the easiest way to de-risk your site.


So, let’s talk about our solution. We launched Smart Plugin Manager last year, mid last year, and we believe it is the best plugin management tool on the market.


It’s the only plugin management tool that will automatically update your plugins and then deliver success criteria with visual regression testing.


And we’ll talk about that more here in a little bit. Smart Plugin Manager is also fully automated.


And so, if we think that your site has broken after a plugin update, we’ll roll it back and let you know that, “Hey, we’ve restored your site to its previous state so that you can take a look at those plugins to understand if those visual changes are acceptable or not.”


So why visual regression testing? We know that some visual changes can just be difficult to identify. You know, things like a broken call to action or a missing form field, that’s a broken site. That means your user can’t use your site the way you’ve intended.


And sometimes these changes are just small pixels and it’s just not reasonable for a person to be able to identify those changes, particularly across multiple pages on multiple websites.


This is a costly endeavor and it’s one that’s just begging to be automated.


So with our visual regression testing capability, we’re able to identify these changes at scale, and actually let you know that your site might have been broken by a plugin update.


So, in terms of how we use visual regression testing, when we know that your site has plugin updates available, we take a screenshot of your homepage and some other pages on your site, based on your site map, we will run the plugin updates, and then take another set of screenshots.


We’ve also taken a backup of your site during this process. We’ll then compare that before and after screenshot, do a pixel by pixel comparison to actually identify areas of change.


And then our machine learning model will actually classify those visual changes as either significant or insignificant, and you can take a look at these examples, ’cause we know that some visual changes are fine.


They’re expected, things like a captcha, of course that’s going to change. But when it’s a significant change, which is critical site functionality broken, or a significant change that will dramatically alter the user experience of your site, these updates are significant, these changes are significant, and we deemed these updates unacceptable.


In this case, we’ll roll the updates back to your previous state and let you know.


So again, you can check these changes out for yourself and understand what might be causing them.


So what’s new, we’ve made a lot of great investments in Smart Plugin Manager over the last several months, I’m excited to share a few of those updates.


So, improved visual verification. We’re constantly investing in our visual testing capabilities because being able to classify, being able to identify and classify visual changes on your site is really why Smart Plugin Manager is so essential to our customers.


And so, we’ve made big investments so that when we’re actually taking screenshots before and after updates, we’re able to identify the specific frame of an animation so we can better classify if a change occurred, and if that change is significant or insignificant.


This has also led to a faster plugin updates process.


We know that keeping your site up and available for your customers is top of mind and the quicker we can conduct updates and the quicker we can verify that those updates were successful or unsuccessful, the quicker your site can be back up and your users can get the value out of your business.


We’ve revamped our user experience. We’ve made big investments in improving our onboarding and bulk site management capabilities.


Today, we believe Smart Plugin Manager can truly be a set it and forget it type of tool, and we wanted to create an experience that really made that easy.


So, when you get started with Smart Plugin Manager now, we’ll actually walk you through how to enable your sites, configure the settings to your needs, and really just set it and forget it.


And you can do this for one, dozens, or hundreds of sites, all in one seamless experience.


And this is all available in WP Engine’s user portal, so no need to log into dozens or several WP admin instances, this can all be done within our portal.


And finally, we’re constantly delivering on what we view as customer inspired features.


Customer feedback, listening to our users, is vital to how we prioritize the work that we put into Smart Plugin Manager, and we’ve delivered on several features that we know address specific customer pain points that we’ve heard.


First, we now offer a weekly update frequency. If you’re a longtime customer, you know, we traditionally have conducted updates daily, as we believe that this is the best way to keep your site secure.


But we know that a lot of our customers have very defined maintenance windows for when they would like for updates to occur, to coordinate with other actions they might be doing to maintain their site.


So, by offering a weekly update frequency, we’re better adapting to some of those new workflows and processes that many of our customers have.


Likewise, we now support custom plugins that are hosted in private Git repos.


We know a lot of our users and lot of our customers are building their own plugins and updating those along with the publicly available and commercial plugins that Smart Plugin Manager has traditionally updated is just as important to automating. So, we now support these plugins as well.


And finally, we know that visual testing is a great way to tell if a plugin update was successful or unsuccessful, but there are verifications that go beyond that.


And so now, one new feature we’ve added to Smart Plugin Manager is that we now check for title and tag changes that can impact things like SEO or the way that content is rendered on your social channels.


The user experience is more than just your website. It’s how your customer finds your site, how they interact with it across all of their channels, and then ultimately how they, they interact with the site itself.


So thinking about that entire process is now something that is top of mind for us as we invest in Smart Plugin Manager and SPM will now check for these changes and let you know, so you can get ahead of any impacts there might be to your search engine rankings or the way that content renders on channels like Facebook or Twitter.


So that’s what we’ve been working on.


Let’s talk about what’s coming. This is always the exciting stuff, right?


So, looking ahead, we really want to double down on a few areas that we’ve been investing in.


Let’s talk about usability and user experience first. We want to move more of that SPM experience into the user portal.


Today, if you’re a Smart Plugin Manager customer, you’ve probably seen our emails where we let you know what happened, we’ll tell you what plugins are updated, and we’ll give you the actual screenshots if we’ve identified visual changes.


We want to let you actually compare those in an easier way. And we want to move more of this into our user portal.


So look for updates to the Smart Plugin Manager experience in portal that will actually show you the results of updates along with providing you that visual comparison capability.


Likewise, we want to provide historic update data so you can actually see the different trends across all of your sites and get insights about specific plugins is particularly to understand which plugins are consistently causing visual changes and which ones might be, you know, have no problems at all, which is always the goal.


And finally getting back to helping our customers, adapting to our customer’s workflows. We want to give you more visibility about when updates occur and what plugins will be updated.


And again, just to better accommodate your workflows and work within your processes.


We’re always investing in our visual regression testing capabilities. And this is another area where we’ll be making some significant investments for the rest of the year.


We want to continue to invest in our ability to identify site elements and get better at classifying them as significant or insignificant.


We want to make this process faster because again, the longer updates occur, the longer your site might be inaccessible to your customers, which is ultimately an impact to your bottom line.


And then, finally, as we’re adding more testing capabilities, we want to give you the power to choose which tests are the most relevant to you.


So as we add more, more granularity around our SEO checks, for example, or provide different options for visual testing, giving you the power to choose which tests make the most sense is top of mind for us.


And finally, we know so many of our customers are agencies. You’re managing customer sites and using SPM as a key tool as part of that process, which we thank you for, and we want to continue to help you serve your customers.


And so we plan on working on several features that we believe empower our agency partners.


First and foremost is client reporting. And this is something we’ve heard from a lot of our agency partners.


We want to give you the ability to provide an artifact, a document to your customers, to let them know the great work that you and WP Engine and Smart Plugin Manager have been doing on behalf of them to maintain their site, to keep it secure and up to date.


Likewise, we wanna provide even more granular update windows. We have the weekly update frequency now, but we want to get to a state where we can actually listen to our customers and give you, whether it’s by the hour on a specific date but that level of granularity, so that there’s more predictability.


And again, so we can better adapt to your workflows and processes and work around your developer’s schedule and not vice versa. 


And finally, plugin updates is one aspect of plugin management, but we know that there’s so much more than that.


So we want to make the user experience a much more comprehensive multisite plugin management experience, giving you the ability to actually look at plugins across all of your sites, make better decisions about which plugins make the most sense based on your use cases, and then providing the key analytics and feedback that Smart Plugin Manager has gleaned over the past several months, that again, can help you make better decisions about the right plugin for the right job you have.


And, I guess, the final announcement I get to make, I get to do my best Oprah impression. We are now including one Smart Plugin Manager license with all of our premium and enterprise plans on WP Engine for life.


So, if you’re a WP Engine customer with a premium enterprise plan today, you now have access to Smart Plugin Manager included with your plan for one site.


If you’re thinking about joining WP Engine and you end up joining with one of our premium enterprise plans, you’ll also get access to this.


So, this is a full unrestricted license that is yours in perpetuity for the life of your account.


We hope you enable one of your sites and can see the benefits of automation and using machine learning to secure and keep your site up to date.


So with that, I really appreciate your time. We’re going to stick around and we will be available to answer any questions you might have about Smart Plugin Manager, managing plugins, how we conduct visual testing, or really anything related to that.


So with that, we will talk to you soon, and thank you again.


– Hey everybody, it’s Monica Kervana, here from my home in Austin, Texas, happy to moderate questions with Peter Mochkow.


And, if I was talking to you live at the Austin Summit, I’d be asking you how I just did on my Polish accent.


Peter, I’m sure it wasn’t the greatest, but you guys, Peter is the original brains behind the original Smart Plugin Manager.


And so this is an exciting opportunity to get to talk to him based at his home in Poland, and talk about Smart Plugin Manager after Annan’s great session that you just saw.


So, we’re gonna look at the questions and have this amazing long distance conversation with a global audience. It’s pretty awesome.


So, Peter, first question for you, are there types of sites that the plugin updater, Smart Plugin Manager, does not work well?


– Yes, definitely. There are, in this kind of website, that we have problems with. These are mostly websites that have a big sliders and only random content.


So on every page load, everything is changing and there’s no constant, constant text or anything that we can see on every page.


– Okay, okay. Sort of an extended question from that, are there types of plugins that typically cause more issues than normal?


– Usually these are commercial plugins and you have to have a valid license subscription or software or something like that, to be able to download the update. And it’s not like those plugins are not working at all.


The problem is that usually people don’t have the valid license, they forgot to ring it up, and then SPM is not able to update such plugins.


– That is a good pointer. You gotta check those things to make sure. Okay, that’s helpful.


Here’s another one for you, Peter, does the testing detect non visual errors?


– Yes. So we are not only checking if there are any pixels change on your website, we test your website based on different criterias.


Like, a simple example, if we update a plugin on your website and there’s a PHP fatal error on your website will affect that.


And yeah, we’ll tell you about that, but that might wriggle in the change on your website, but there are also other things like there might be a PHP warning or notice that might be not visible on your website and your website seems to be working fine because there is no change.


But when you try to submit a form, it might occur that it’s not working because of that, that warning or notice, and will detect that and notify you about that.


– Awesome.


Here’s a question, I want SPM to do a pull request instead of updating the actual environment. Is this on the roadmap?


– No.

Right now we are only updating websites on an environment that is connected to, to the SPM.


And the reason behind that is, again commercial plugins, it will try to update your commercial plugins on a different stage and a different environment, it may occur that it won’t be working because the license is attached to a specific domain.


– Okay. I hope that answered your question.


Not able to see who’s answering what, sorry everybody out there.


Okay. Here’s another one for you, Peter. Can you share what client reporting will contain?


– That’s still being discussed, but what I can imagine that the report will include, so definitely there will be information coming from SPM. So there will be plugins, which we have updated from which version to which when it has happened, whenever there was any problem with that.


And we are thinking about including some more stuff in those reports not only from SPM, there might be a monitoring part and to let you know when your website was down and hopefully it wasn’t at all.


And, yeah. And there might be some other performance things that we might include in the report.


– Okay. Also, sort of in the agency client question category, can an agency use SPM and have it paid for by the client?


– Currently, we sell SPM as package and you have to buy a specific number of licenses.


And currently only you as an account owner have to pay for that. So you have to agree with your client how you want to charge him for that.


– Yup, okay. Got it.


When will one free license for SPM be enabled in the WP Engine dashboard?


– Okay, so you should already see those license available. Even right now.


– Yes, great.


Oh, here’s a good one, Peter. How does virtual regression testing work? Annan mentioned machine learning, does this mean the underlying algorithm or model actually gets smarter after each transaction?


– No, so it doesn’t work that way. So we are in control of this machine learning model and it is a supervised learning.


So, to make it better, we have to teach our algorithm once again to improve.


And we are doing that from time to time when we gather enough data to try to improve the model.


– Okay.


Okay. This is coming as an additional question from the one that we had just previously, which plan type offer the free SPM license?


– So, all educators and clients should see SPM.


– All SPM Enterprise plans.


– Yes.


– Okay.


We’re bouncing around a little bit, Peter, sorry.


Just questions all over the map here. Is there a way to tune or guide the machine learning ourselves?


– There will be, not right now, but we are going to improve the experience in the user portal where you can currently only change settings for SPM.


And we are going to provide more extended results of SPM. Cause right now you only get email notifications where there are some information that we have more details to share with the clients.


And we are going to share those data in the portal. We are also going to provide the feedback loop that the customer can give us a bit that you disagree with, with what our machine learning decided.


And this way you can help us to improve the model.


– Awesome. I love open source.


In the looking ahead section, Annan talked about custom reporting, can you share some more detail on that?


– What they mean by custom reporting?


– I think this is about the custom, customized reporting within the product. And how a little bit more detail they’re seeking on that.


– So that’s still being discussed. And so no specific details yet, but our goal is that the client can take this record and send directly to his client, their clients.


So that will be, there will be some kind of white labeling that you can add your logo, maybe change your colors, or it will be in the neutral colors that will fit your brand.


So this kind of customization, definitely there will be, maybe it will provide a way for people to just switch models they want to add to the report, for example, you want SPM, but you don’t want monitoring.


– Yeah. I can’t believe that we’ve got through all of our questions.


We could hang on the line if some of you have just been pondering, but haven’t typed your question in yet. We’re more than willing to do that.


I know this is an exciting product within the WP Engine platform. So, we’re ready.


– Yeah. We’re waiting for you.


– We’re ready.


Here’s one for you, Peter. Would you generally recommend Smart Plugin Manager for all types of sites?


– Yes. I mean, I don’t see any specific type of website that you shouldn’t use SPM.


If you’re using WordPress, and definitely you are, if you’re on this conference, then you have plugins there is no WordPress website without plugins, and you have to keep your plugins up to date.


So there’s no reason why you shouldn’t SPM.


– Perfect.


You know, I think I just want to, for fun, ask you a fun question before we close out. How are you staying sane and having fun during COVID?


– Oh, so that’s a really interesting one. I’m playing with, or building Lego blocks together with my sons. So that’s what we are doing together.


– How wonderful. That sounds great. New hobby.


– Yeah, new hobby.


– Yeah. See, once a builder, always a builder. You’re just expanding your horizons.


– Exactly.


– Yay.


Well, what a joy to talk to you from Austin to Krakow, like with a global audience. What time is it there right now?


– It’s almost 10:00 PM right now.


– Okay, look at this, amazing.


Well, Peter, thank you. I hope you all benefit from this Q&A session and we’ll go ahead–oh, hey, look, there’s another question before we sign off we will ask it, do you have to purchase multiple licenses for multiple Smart Plugin Manager environments?


– Yes. So one environment is one license. If you want to run SPM, for example, on production and staging, then you have to have two licenses.


But you have to think about that, that commercial plugins might not work in your staging environment. So it might occur that SPM will tell you that we have problems if you update your plugins on staging but it might work on the production because your domain is connected to your commercial license.


– Okay, great. Let’s see if we might have one more, I’m pausing. I think this might be a wrap everybody.


Nope. One more. How easy is it to roll back changes?


– So, SPM by default, rolls back any detected changes, but if, let’s say SPM will detect changes as insignificant and you don’t agree with that judgment and you want to roll it back, you can just go to our portal to the backup sections, and just run another roll back as you can do with any other background.


– Okay.


Great. Well, again, thank you everybody. Appreciate this. This session had a lot of great questions and I look forward to seeing you in the next breakout or whichever one you choose to hear next. Thanks again, Peter.


– Thank you.
